Have you entered your SPRS score yet? Don’t be caught off guard!
Many think they can put off entering a score into the Supplier Performance Risk System (SPRS) until they get a new DoD contract. This is not true: any modification or renewal of your contract will require that a score be entered before it can be awarded. In addition, prime contractors are now coming after subcontractors that have not updated SPRS, and they are sometimes less forgiving.
SPRS requires an assessment of the controls contained in NIST SP 800-171. How many controls apply depends on the type of data you access under your contract. If it is just Federal Contract Information (FCI), you only have to deal with 17 controls, and it is a relatively easy task. If your organization processes Controlled Unclassified Information (CUI), however, you need to assess all 110 controls contained in NIST SP 800-171. Once the assessment is complete, an SPRS score is calculated based on your level of compliance with these controls.
What do you need to enter your SPRS score?
- A System Security Plan, which is required before an assessment can be performed and is used during the assessment.
- A NIST SP 800-171 controls assessment score.
- A Plan of Action and Milestones (POA&M) to address any outstanding items. (Essentially a corrective action plan.)
Where do you go to enter your score?
To access the NIST SP 800-171 Assessments module, users must be registered in the Procurement Integrated Enterprise Environment (PIEE) and be approved for access to SPRS. An “SPRS Cyber Vendor User” role is required for companies to enter/edit basic self-assessment information.
Here is the URL: https://www.sprs.csd.disa.mil/nistsp.htm
SPRS provides contracting officials with a method to gauge the overall assessment of the supplier performance and supplier risk. Using the Supplier Risk Score, contracting officials can identify “high risk” suppliers and assess the likelihood of the non-fulfillment of terms of contract, unsuccessful performance, or delivery delays. It also provides storage and access to the NIST SP 800-171 assessment scoring information. The NIST SP 800-171 Assessments module contains assessment date, score, scope, plan of action completion date, included Commercial and Government Entity (CAGE) code(s), System Security Plan (SSP) name, SSP version, SSP date, and confidence level. The NIST SP 800-171 Basic Assessment cannot be performed in SPRS; SPRS only stores the results of NIST SP 800-171 Assessments.
For preparation information, including our assessment methodology and how we can calculate your score, please contact Phil Norton at BSC Systems at (703) 405-7131. We would be happy to discuss your requirements and would welcome the opportunity to be of service.